diff --git a/tekton/v1/pipelines/pingcap-build-package-darwin.yaml b/tekton/v1/pipelines/pingcap-build-package-darwin.yaml index 803840302..c8c0f206c 100644 --- a/tekton/v1/pipelines/pingcap-build-package-darwin.yaml +++ b/tekton/v1/pipelines/pingcap-build-package-darwin.yaml @@ -73,6 +73,9 @@ spec: description: The workspace where the git repo will be cloned. - name: mac-ssh-credentials description: secret contains ssh private key in `id_rsa` key for login mac + - name: publisher-auth + description: Optional. Credentials for publisher basic auth. + optional: true tasks: - name: checkout retries: 2 @@ -191,6 +194,9 @@ spec: value: $(tasks.build-binaries.results.pushed) - name: publisher-url value: "$(params.publisher-url)" + workspaces: + - name: publisher-auth + workspace: publisher-auth - name: deliver-images when: - input: "$(params.push)" diff --git a/tekton/v1/pipelines/pingcap-build-package-linux.yaml b/tekton/v1/pipelines/pingcap-build-package-linux.yaml index 2a71d8adb..834b61441 100644 --- a/tekton/v1/pipelines/pingcap-build-package-linux.yaml +++ b/tekton/v1/pipelines/pingcap-build-package-linux.yaml @@ -76,6 +76,9 @@ spec: - name: cypress-cache description: cache for cypress installation files when building frontend projects. optional: true + - name: publisher-auth + description: Optional. Credentials for publisher basic auth. + optional: true tasks: - name: checkout retries: 2 @@ -218,6 +221,9 @@ spec: value: $(tasks.build-binaries.results.pushed) - name: publisher-url value: "$(params.publisher-url)" + workspaces: + - name: publisher-auth + workspace: publisher-auth - name: deliver-images retries: 2 when: diff --git a/tekton/v1/tasks/delivery/pingcap-deliver-binaries.yaml b/tekton/v1/tasks/delivery/pingcap-deliver-binaries.yaml index 5ca99360d..18360ba89 100644 --- a/tekton/v1/tasks/delivery/pingcap-deliver-binaries.yaml +++ b/tekton/v1/tasks/delivery/pingcap-deliver-binaries.yaml 
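Review bot: The new `publisher-auth` workspace description in the `@@ -73,6 +73,9 @@` hunk of pingcap-build-package-darwin.yaml does not name the Secret keys the consumer reads, unlike the `mac-ssh-credentials` entry just above it, which names `id_rsa`. The deliver task changed later on this page looks for files named `username` and `password`, so I would write `description: Optional. Secret with keys 'username' and 'password' for publisher basic auth.` The same wording applies to the matching `@@ -76,6 +76,9 @@` hunk in pingcap-build-package-linux.yaml. The workspaces list starts above both hunks.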
@@ -4,7 +4,7 @@ kind: Task metadata: name: pingcap-deliver-binaries labels: - app.kubernetes.io/version: "0.1.0" + app.kubernetes.io/version: "0.2.0" annotations: tekton.dev/pipelines.minVersion: "1.0.0" tekton.dev/categories: delivery @@ -26,6 +26,12 @@ spec: - name: notify-webhook-url description: URL of the webhook for notification default: "http://el-harbor:8080" + workspaces: + - name: publisher-auth + description: | + Optional. Kubernetes Secret with keys 'username' and 'password'. + If provided, the task will use basic auth when calling the publisher. + optional: true stepTemplate: image: ghcr.io/pingcap-qe/cd/utils/release:v2025.10.26-7-geb77a69 computeResources: @@ -45,11 +51,22 @@ spec: targetsInfo="/workspace/delivery-targets.yaml" oci_src="$(params.src)" publisher_url="$(params.publisher-url)/tiup/delivery-by-rules" + auth_opt="" + + # If publisher-auth workspace is provided, use basic auth + if [ -f "$(workspaces.publisher-auth.path)/username" ] && \ + [ -f "$(workspaces.publisher-auth.path)/password" ]; then + user="$(cat $(workspaces.publisher-auth.path)/username)" + pass="$(cat $(workspaces.publisher-auth.path)/password)" + auth_opt="-u '${user}:${pass}'" + fi deliver() { local artifact_url="$1" echo "Delivering artifact_url: $artifact_url" + # shellcheck disable=SC2086 response=$(curl -s -X POST "$publisher_url" \ + $auth_opt \ -H "Content-Type: application/json" \ -d "{\"artifact_url\":\"$artifact_url\"}") echo "Response: $response" diff --git a/tekton/v1/triggers/bindings/gcp-classic-build-params.yaml b/tekton/v1/triggers/bindings/gcp-classic-build-params.yaml index ef9bb1a64..1784f0505 100644 --- a/tekton/v1/triggers/bindings/gcp-classic-build-params.yaml +++ b/tekton/v1/triggers/bindings/gcp-classic-build-params.yaml @@ -6,5 +6,7 @@ spec: params: - name: registry value: us-docker.pkg.dev/pingcap-testing-account/hub + - name: publisher-auth-secret-name + value: publisher-auth - name: publisher-url value: "https://do2.pingcap.net/publisher" 
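Review bot: The `publisher-auth` description in the `@@ -26,6 +26,12 @@` hunk says basic auth is used "if provided", but it does not say what happens when the Secret is bound with only one of the two keys. The script added in the `@@ -45,11 +51,22 @@` hunk requires both files, and as far as the hunk shows it otherwise posts to the publisher without credentials and without a log line. I would add a sentence to the description such as `If either key is missing, the request is sent unauthenticated.`, or have the script exit non-zero in that case so a misconfigured Secret is noticed.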
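Review bot: `auth_opt="-u '${user}:${pass}'"` followed by an unquoted `$auth_opt` on the curl line does not pass the credentials intact: word splitting does not remove the inner single quotes, so curl receives `'user:pass'` with literal quote characters, and a password containing spaces or glob characters is split or expanded into extra arguments. The added `# shellcheck disable=SC2086` comment silences the warning that would have pointed at this. A form that works in POSIX sh and bash is to replace `auth_opt=""` with `user=""; pass=""`, drop the `auth_opt=` assignment and the disable comment, and pass `${user:+-u "${user}:${pass}"} \` on the curl line. Separately, `-u` places the password on curl's command line and in any `set -x` trace, so if the step runs with tracing (not visible here) reading it from a file via curl's `--config` would keep it out of the logs. The script starts above the hunk and `deliver` continues below it.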
diff --git a/tekton/v1/triggers/bindings/gcp-internal-build-params.yaml b/tekton/v1/triggers/bindings/gcp-internal-build-params.yaml index 26e282883..b75cb0e6e 100644 --- a/tekton/v1/triggers/bindings/gcp-internal-build-params.yaml +++ b/tekton/v1/triggers/bindings/gcp-internal-build-params.yaml @@ -6,5 +6,7 @@ spec: params: - name: registry value: us-docker.pkg.dev/pingcap-testing-account/internal + - name: publisher-auth-secret-name + value: publisher-auth - name: publisher-url value: "https://do2.pingcap.net/publisher" diff --git a/tekton/v1/triggers/bindings/gcp-ng-build-params.yaml b/tekton/v1/triggers/bindings/gcp-ng-build-params.yaml index 5da9c2a95..1735da2a5 100644 --- a/tekton/v1/triggers/bindings/gcp-ng-build-params.yaml +++ b/tekton/v1/triggers/bindings/gcp-ng-build-params.yaml @@ -6,6 +6,7 @@ spec: params: - { name: builder-resources-cpu, value: $(extensions.resource-config.cpu) } - { name: builder-resources-memory, value: $(extensions.resource-config.memory) } + - { name: publisher-auth-secret-name, value: publisher-auth } - { name: publisher-url, value: "https://do2.pingcap.net/publisher" } - { name: registry, value: us-docker.pkg.dev/pingcap-testing-account/tidbx } - { name: source-ws-size, value: $(extensions.resource-config.sourceWsSize) } diff --git a/tekton/v1/triggers/bindings/ksy-classic-build-params.yaml b/tekton/v1/triggers/bindings/ksy-classic-build-params.yaml index 812b3f6fb..16ea40b3f 100644 --- a/tekton/v1/triggers/bindings/ksy-classic-build-params.yaml +++ b/tekton/v1/triggers/bindings/ksy-classic-build-params.yaml 
@@ -8,9 +8,11 @@ spec: value: us-docker.pkg.dev/pingcap-testing-account/hub - name: boskos-server-url value: http://boskos.ee-cd.svc + - name: publisher-auth-secret-name + value: publisher-auth - name: publisher-url value: https://publisher.pingcap.net - name: git-instead-of value: >- - https://github.com/ => http://git-cdn.cache.svc:8000/, - git@github.com: => http://git-cdn.cache.svc:8000/ + https://github.com/ => http://git-cdn.cache.svc:8000/, git@github.com: + => http://git-cdn.cache.svc:8000/ diff --git a/tekton/v1/triggers/bindings/ksy-dev-build-params.yaml b/tekton/v1/triggers/bindings/ksy-dev-build-params.yaml index 5040ef010..4ac600f36 100644 --- a/tekton/v1/triggers/bindings/ksy-dev-build-params.yaml +++ b/tekton/v1/triggers/bindings/ksy-dev-build-params.yaml 
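Review bot: The re-wrapped `git-instead-of` value at the end of the `@@ -8,9 +8,11 @@` hunk now breaks in the middle of the second rule, leaving `git@github.com:` on one line and its `=> http://git-cdn.cache.svc:8000/` target on the next. Under `>-` folding the resulting string should be unchanged, but one rule per line was easier to audit, and this looks like formatter churn unrelated to the publisher-auth change. I would keep the original two lines, `https://github.com/ => http://git-cdn.cache.svc:8000/,` and `git@github.com: => http://git-cdn.cache.svc:8000/`. The same re-wrap appears in ksy-dev-build-params.yaml, together with a switch from `{ name: … }` to `{name: …}` that gcp-ng-build-params.yaml does not follow.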
@@ -4,18 +4,19 @@ metadata: name: ksy-dev-build-params # only use in KSY clusters for dev-builds spec: params: - - { name: boskos-server-url, value: http://boskos.ee-cd.svc } - - { name: builder-resources-cpu, value: $(extensions.resource-config.cpu) } - - { name: builder-resources-memory, value: $(extensions.resource-config.memory) } - - { name: ce-context, value: $(extensions.ce-context) } - - { name: component, value: $(extensions.component) } - - { name: force-builder-image, value: $(extensions.custom-params.builder-image) } - - { name: profile, value: $(extensions.custom-params.profile) } - - { name: publisher-url, value: "" } # no need publish in dev-builds - - { name: registry, value: $(extensions.registry) } - - { name: source-ws-size, value: $(extensions.resource-config.sourceWsSize) } - - { name: timeout, value: $(extensions.resource-config.timeout) } + - {name: boskos-server-url, value: http://boskos.ee-cd.svc} + - {name: builder-resources-cpu, value: $(extensions.resource-config.cpu)} + - {name: builder-resources-memory, value: $(extensions.resource-config.memory)} + - {name: ce-context, value: $(extensions.ce-context)} + - {name: component, value: $(extensions.component)} + - {name: force-builder-image, value: $(extensions.custom-params.builder-image)} + - {name: profile, value: $(extensions.custom-params.profile)} + - {name: publisher-auth-secret-name, value: publisher-auth} + - {name: publisher-url, value: ""} # no need publish in dev-builds + - {name: registry, value: $(extensions.registry)} + - {name: source-ws-size, value: $(extensions.resource-config.sourceWsSize)} + - {name: timeout, value: $(extensions.resource-config.timeout)} - name: git-instead-of value: >- - https://github.com/ => http://git-cdn.cache.svc:8000/, - git@github.com: => http://git-cdn.cache.svc:8000/ + https://github.com/ => http://git-cdn.cache.svc:8000/, git@github.com: + => http://git-cdn.cache.svc:8000/ 
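Review bot: `publisher-auth-secret-name` is added to the dev-build binding although `publisher-url` is set to `""` with the comment that dev-builds do not publish. The trigger templates on this page bind that name as a Secret workspace on every PipelineRun they create, so dev-build runs, whose builder image comes from `$(extensions.custom-params.builder-image)`, would carry a reference to the publisher credentials without needing them, and would presumably fail to start if the Secret is absent from the cluster. If the entry has to stay, a comment such as `# bound by the template even though dev-builds do not publish; use a dev-scoped secret` would record the intent; otherwise point it at a Secret that holds no production credentials.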
diff --git a/tekton/v1/triggers/templates/_/build-component-all-platforms.yaml b/tekton/v1/triggers/templates/_/build-component-all-platforms.yaml index f0b97b353..5de80c50e 100644 --- a/tekton/v1/triggers/templates/_/build-component-all-platforms.yaml +++ b/tekton/v1/triggers/templates/_/build-component-all-platforms.yaml @@ -36,6 +36,9 @@ spec: default: "" - name: boskos-server-url default: "http://boskos" + - name: publisher-auth-secret-name + description: Name of the Secret containing publisher basic auth credentials. + default: publisher-auth - name: publisher-url default: "https://publisher.pingcap.net" - name: git-instead-of @@ -125,6 +128,9 @@ spec: # - name: cypress-cache # persistentVolumeClaim: # claimName: cypress-cache + - name: publisher-auth + secret: + secretName: $(tt.params.publisher-auth-secret-name) - apiVersion: tekton.dev/v1 kind: PipelineRun metadata: @@ -205,6 +211,9 @@ spec: # - name: cypress-cache # persistentVolumeClaim: # claimName: cypress-cache + - name: publisher-auth + secret: + secretName: $(tt.params.publisher-auth-secret-name) - apiVersion: tekton.dev/v1 kind: PipelineRun metadata: @@ -267,6 +276,9 @@ spec: - name: mac-ssh-credentials secret: secretName: mac-ssh-credentials + - name: publisher-auth + secret: + secretName: $(tt.params.publisher-auth-secret-name) - apiVersion: tekton.dev/v1 kind: PipelineRun metadata: @@ -329,3 +341,6 @@ spec: - name: mac-ssh-credentials secret: secretName: mac-ssh-credentials + - name: publisher-auth + secret: + secretName: $(tt.params.publisher-auth-secret-name) diff --git a/tekton/v1/triggers/templates/_/build-component-darwin.yaml b/tekton/v1/triggers/templates/_/build-component-darwin.yaml index 58f073f45..6a9473b13 100644 --- a/tekton/v1/triggers/templates/_/build-component-darwin.yaml +++ b/tekton/v1/triggers/templates/_/build-component-darwin.yaml 
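Review bot: The `publisher-auth-secret-name` description in the `@@ -36,6 +36,9 @@` hunk should say that the value selects which Secret in the run's namespace gets mounted, and that it must come from a static binding and not from the event payload. Every binding on this page sets it to the constant `publisher-auth`, which is the safe pattern; a binding that mapped it from `$(body…)` or `$(extensions…)` would let the event sender choose the Secret. Suggested text: `Name of the Secret (keys 'username', 'password') with publisher basic auth credentials. Set only from static bindings.` The same description is added in build-component-darwin.yaml, build-component-linux.yaml and both build-component-single-platform.yaml files.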
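Review bot: The `secret:` workspace binding added in the `@@ -125,6 +128,9 @@` hunk has no `optional: true`, so the workspace that the pipelines declare as optional is in practice required for every run created from this template. If the named Secret does not exist in a cluster, the task pod that mounts it would be expected to hang on the missing volume instead of falling back to unauthenticated delivery. Either add `optional: true` under `secret:` next to `secretName: $(tt.params.publisher-auth-secret-name)` (the Kubernetes secret volume source accepts it), or state in the param description that the Secret is a prerequisite. The same binding is repeated in the other three binding hunks of this file and in the darwin, linux, single-platform and ctl templates.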
@@ -35,6 +35,9 @@ spec: default: "" - name: boskos-server-url default: "http://boskos" + - name: publisher-auth-secret-name + description: Name of the Secret containing publisher basic auth credentials. + default: publisher-auth - name: publisher-url default: "https://publisher.pingcap.net" - name: git-instead-of @@ -110,6 +113,9 @@ spec: - name: mac-ssh-credentials secret: secretName: mac-ssh-credentials + - name: publisher-auth + secret: + secretName: $(tt.params.publisher-auth-secret-name) - apiVersion: tekton.dev/v1 kind: PipelineRun metadata: @@ -176,3 +182,6 @@ spec: - name: mac-ssh-credentials secret: secretName: mac-ssh-credentials + - name: publisher-auth + secret: + secretName: $(tt.params.publisher-auth-secret-name) diff --git a/tekton/v1/triggers/templates/_/build-component-linux.yaml b/tekton/v1/triggers/templates/_/build-component-linux.yaml index 1cf89e173..178e946f4 100644 --- a/tekton/v1/triggers/templates/_/build-component-linux.yaml +++ b/tekton/v1/triggers/templates/_/build-component-linux.yaml @@ -37,6 +37,9 @@ spec: - name: force-builder-image description: force use the builder image to prepare container to build binaries. default: "" + - name: publisher-auth-secret-name + description: Name of the Secret containing publisher basic auth credentials. + default: publisher-auth - name: publisher-url default: "https://publisher.pingcap.net" - name: git-instead-of @@ -126,6 +129,9 @@ spec: # - name: cypress-cache # persistentVolumeClaim: # claimName: cypress-cache + - name: publisher-auth + secret: + secretName: $(tt.params.publisher-auth-secret-name) - apiVersion: tekton.dev/v1 kind: PipelineRun metadata: @@ -206,3 +212,6 @@ spec: # - name: cypress-cache # persistentVolumeClaim: # claimName: cypress-cache + - name: publisher-auth + secret: + secretName: $(tt.params.publisher-auth-secret-name) 
diff --git a/tekton/v1/triggers/templates/_/build-component-single-platform.yaml b/tekton/v1/triggers/templates/_/build-component-single-platform.yaml index 6c8746d6a..43373daf9 100644 --- a/tekton/v1/triggers/templates/_/build-component-single-platform.yaml +++ b/tekton/v1/triggers/templates/_/build-component-single-platform.yaml @@ -40,6 +40,9 @@ spec: default: "" - name: boskos-server-url default: "http://boskos" + - name: publisher-auth-secret-name + description: Name of the Secret containing publisher basic auth credentials. + default: publisher-auth - name: publisher-url default: "https://publisher.pingcap.net" - name: git-instead-of @@ -134,3 +137,6 @@ spec: - name: mac-ssh-credentials # for darwin platforms secret: secretName: mac-ssh-credentials + - name: publisher-auth + secret: + secretName: $(tt.params.publisher-auth-secret-name) diff --git a/tekton/v1/triggers/templates/pingcap/ctl/build-component-single-platform.yaml b/tekton/v1/triggers/templates/pingcap/ctl/build-component-single-platform.yaml index afda93197..2ca5271cd 100644 --- a/tekton/v1/triggers/templates/pingcap/ctl/build-component-single-platform.yaml +++ b/tekton/v1/triggers/templates/pingcap/ctl/build-component-single-platform.yaml @@ -38,6 +38,9 @@ spec: default: "{}" - name: force-builder-image default: "" + - name: publisher-auth-secret-name + description: Name of the Secret containing publisher basic auth credentials. + default: publisher-auth - name: publisher-url default: "https://publisher.pingcap.net" resourcetemplates: @@ -108,3 +111,6 @@ spec: resources: requests: storage: $(tt.params.source-ws-size) + - name: publisher-auth + secret: + secretName: $(tt.params.publisher-auth-secret-name)